BRKAPP-3003

Troubleshooting the Application Control Engine (ACE)
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public BRKAPP-3003
Core Message
To understand the architecture and flow management is to understand how to troubleshoot the Application Control Engine.
Session Objective
At the end of the session, you will be able to:

ACE Architecture
  Understand the ACE architecture and connectivity through ACE
  Verify software images and licenses, and recover an image
  Use the real-time TCP-dump (capture) command
  Implement management traffic protection
  Understand access lists on ACE

Flow Management
  Understand the difference between L4 and L7 processing
  Check for possible asymmetric flows
  Understand high availability from the show commands
  Perform layer 7 troubleshooting
  Monitor performance and troubleshoot resources
Session Agenda
ACE Architecture
  Discuss the architecture
  Functions of the control plane and data plane
  Common debugging commands
  Packet capturing and logging
  Traffic forwarding on ACE
  Management traffic protection
Flow Management
  Connection handling on ACE
  Health monitoring on ACE
  High availability on ACE
  Layer 7 troubleshooting and performance
ACE Architecture
ACE Module Hardware Architecture
[Figure: block diagram of the ACE module, with the Control Plane and the Data Plane marked separately. Components and link speeds shown: Switch Fabric Interface (16G), Daughter Card 1 and Daughter Card 2 (8G each), SSL Crypto (10G), Network Processor 1 and Network Processor 2 (10G each), Classification Distribution Engine (CDE, 2G), console port, and the 100M Sup Connect link.]
Network Processor Micro-Engines
The micro-engines on each network processor implement:
  Receive + Fastpath (+ Transmit)
  IP reassembly + timers + syslog
  Inbound Connection Manager (ICM)
  Outbound Connection Manager (OCM)
  Connection Close Management (CCM)
  TCP
  HTTP
  Application fixups
  SSL record layer
  Static and user-configurable regex
  TCP normalization + fixups
[Figure: micro-engine layout of one NP: Rx Fast Path, four further Fast Path engines, IP Frag, Timers, ICM, OCM, CCM, TCP, HTTP (two engines), SSL Record, RegEx, FixUps and TCP Norm., alongside the XScale CPU.]
Separation of Data and Management Traffic
The control path and the data path run on separate processors.

Control path
  Device control
  Configuration manager (CLI, XML API, SSH, ...)
  Server health monitoring (native probes, TCL scripts)
  Syslog, SNMP
  ARP, DHCP relay
  High availability

Data path
  Connection management
  TCP termination
  Access lists
  SSL offload
  Regular expression matching
  Load balancing and forwarding
Traffic to the ACE
Traffic Flow to the CDE
The ACE has no native ports; the Switch Fabric Interface forwards packets to the CDE.
A packet arrives over the Switch Fabric Interface marked with the VLAN and the L2 information. This is the TenGigabitEthernet link (Te?/1, where ? is the slot number). Every packet entering or leaving the ACE traverses this link, with VLAN tagging indicating the VLAN.
The CDE (Classification and Distribution Engine) fills in the IMPH header and forwards traffic to the appropriate blade subsystem (e.g., CP, NP1, NP2).
Traffic Flow to the CDE (continued)
The CDE hashes each incoming packet to select NP1 or NP2:
  TCP/UDP packets: hash on the source/destination ports
  Other IP packets: hash on the source/destination IP addresses
  Non-IP packets: hash on the source/destination L2 MAC addresses
All forwarding is done on the NPs. They constitute two parallel forwarding paths that maintain independent connection state and forward independently.
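The dispatch rule above, as an added example (not code from the deck or from Cisco): a small simulator that classifies a frame the way the slide describes and picks NP1 or NP2. The deck does not name the hash function the CDE uses, so the hash here is an assumption, chosen to be order-independent in its two inputs; the point the example makes is that this symmetry is what lets both directions of one connection reach the NP that holds its state. The sample frames are constructed, reusing addresses from later slides.

```python
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple

NUM_NPS = 2  # the ACE module has NP1 and NP2


@dataclass(frozen=True)
class Frame:
    """Only the header fields the CDE dispatch rule looks at."""
    src_mac: str
    dst_mac: str
    src_ip: Optional[str] = None    # None for non-IP frames
    dst_ip: Optional[str] = None
    proto: Optional[int] = None     # 6 = TCP, 17 = UDP, anything else = other IP
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def hash_key(frame: Frame) -> Tuple[str, str, str]:
    """Select the fields the CDE hashes, following the slide's three rules."""
    if frame.proto in (6, 17) and frame.src_port is not None and frame.dst_port is not None:
        return ("l4-ports", str(frame.src_port), str(frame.dst_port))
    if frame.src_ip is not None and frame.dst_ip is not None:
        return ("l3-addresses", frame.src_ip, frame.dst_ip)
    return ("l2-macs", frame.src_mac.lower(), frame.dst_mac.lower())


def _symmetric_hash(a: str, b: str) -> int:
    # ASSUMPTION: the deck does not say which hash the CDE uses. A stable,
    # order-independent hash is used here so that swapping a and b gives the
    # same value; XOR of two CRC32s has that property.
    return zlib.crc32(a.encode()) ^ zlib.crc32(b.encode())


def select_np(frame: Frame) -> int:
    """Return 1 or 2: the network processor the CDE would forward this frame to."""
    _, a, b = hash_key(frame)
    return 1 + (_symmetric_hash(a, b) % NUM_NPS)


def reverse_direction(frame: Frame) -> Frame:
    """The same conversation as seen in the reply packets."""
    return Frame(frame.dst_mac, frame.src_mac, frame.dst_ip, frame.src_ip,
                 frame.proto, frame.dst_port, frame.src_port)


def same_np_both_ways(frame: Frame) -> bool:
    """True when both directions of a flow land on the same NP, which the
    independent per-NP connection state requires."""
    return select_np(frame) == select_np(reverse_direction(frame))


# Constructed sample frames (addresses reused from the deck's later examples).
CLIENT_SYN = Frame("00:50:56:12:11:01", "00:0b:fc:fe:1b:02",
                   "209.165.201.11", "172.16.11.190", 6, 1180, 443)
ICMP_ECHO = Frame("00:50:56:12:11:01", "00:0b:fc:fe:1b:02",
                  "209.165.201.11", "172.16.11.190", 1)
ARP_REQUEST = Frame("00:50:56:12:11:01", "ff:ff:ff:ff:ff:ff")

if __name__ == "__main__":
    for name, f in [("TCP SYN", CLIENT_SYN), ("ICMP echo", ICMP_ECHO), ("ARP", ARP_REQUEST)]:
        print(f"{name:10s} key={hash_key(f)[0]:13s} NP{select_np(f)} "
              f"reply on same NP: {same_np_both_ways(f)}")
```

Replace `_symmetric_hash` with an asymmetric one (for example, hashing the concatenation `a + b`) and `same_np_both_ways` starts returning False for some flows; that is exactly the situation in which the reply packet would arrive at an NP that has never seen the connection.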
Traffic to the ACE Control Plane
Traffic directed to the ACE itself is received on the control plane. Useful statistics:
  show netio stats and show fifo stats count traffic into and out of the CP
  show netio clients shows the applications that have registered to receive traffic from the CDE
There are also a number of useful context-specific commands. These count ACE-terminated traffic only; they do not measure traffic forwarded by the ACE:
  show ip traffic
  show [protocol] statistics, where protocol can be arp, udp, tcp or icmp
ACE in a Nutshell
ACE in a Nutshell
Cisco ACE provides many advanced load balancing features, including interface and application security, server offload, and application load balancing.
Virtual Context Setup
Virtual contexts are virtualized ACEs. Each virtual context has an independent configuration and dedicated resources assigned to it; without limits in place, one context can pull resources away from another.
Every ACE device contains a special virtual context called "Admin". It is recommended that you create separate virtual contexts for load balancing.
The capacity of each ACE virtual context is determined by its resource class.
Common Debugging
Common Debugging
VIP is not responding when trying to connect: if you try to ping the VIP, you must configure loadbalance vip icmp-reply; without it the VIP does not answer ICMP.
Common Debugging
Show commands on the Catalyst 6500 Supervisor:
  show version
  show clock
  show module
  show power
  show asic slot <n>
  show interface TenGigabitEthernet <n>/1
  show interface TenGigabitEthernet <n>/1 trunk
  show svclc vlan-group
  [no] power enable <module>
Make sure the module status is OK.
Common Debugging
Show commands available on the ACE:

System information
  show version
  show clock
  show ft group status
L2, L3
  show ip int br
  show int vlan <n>
  show arp
L4, L7
  show service-policy
  show serverfarm
  show rserver
  show probe
Debugging flows
  show conn
  show stat
  show ip traffic
Performance, resources
  show resource usage
  show np 1 me-stats -s norm
  show np 1 me-stats -s normM1   (this provides the delta)
Repeat the np commands with np 2; each network processor keeps its own counters.
Looking at the Normalization Counters
Shows the DROP counters in the fast path and TCP micro-engines. TCP normalization is what rejects malformed or evasive segments (invalid flags, urgent pointer, data on SYN, options on non-SYN, sequence numbers outside the window), so a counter that keeps rising here is the first place to look when packets are being dropped in the data path.
switch/Admin# show np 1 me-stats "-s norm" | i Drop
[Drops] L2 invalid DA mac:               0
[Drops] L4 port is zero                  0
[Drops] TCP invalid conn miss flags:     0
[Drops] TCP invalid flags:               0
[Drops] TCP urgent pointer denied:       0
[Drops] TCP non-zero reserved field:     0
[Drops] TCP syn data denied:             0
[Drops] TCP non-syn options on syn:      0
[Drops] TCP syn options on non-syn:      0
[Drops] TCP no of denied options:        0
[Drops] TCP option length wrong:         0
[Drops] fp TCP invalid ack in syn-ack:   0
[Drops] fp TCP invalid ack for syn-ack:  0
[Drops] fp TCP ack past seq:             0
[Drops] fp TCP window left edge:         0
[Drops] fp TCP window right edge:        0
[Drops] fp TCP data past FIN:            0
[Drops] fp TCP FIN has wrong seq:        0
[Drops] fp TCP RST has wrong seq:        0
[Drops] fp TCP RST has wrong ack:        0
[Drops] fp TCP ack > FIN_ACK exp:        0
[Drops] fp TCP exceeded MSS:             18
Only the last counter is non-zero in this example. Check np 2 as well, since each network processor keeps its own counters.
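The counters are cumulative, so what matters is which ones move while a problem is reproduced. As an added example (not code from the deck or from Cisco), the following parses two pasted snapshots of `show np <n> me-stats "-s norm" | i Drop` and reports the counters that increased between them; the two snapshots below are constructed in the slide's format.

```python
import re
from typing import Dict, List, Tuple

# Matches '[Drops] <name>: <count>' and '[Drops] <name> <count>' (some names lack the colon).
DROP_LINE = re.compile(r"^\s*\[Drops\]\s+(?P<name>.+?):?\s+(?P<count>\d+)\s*$")


def parse_drops(text: str) -> Dict[str, int]:
    """Map each [Drops] counter name in one snapshot to its integer value."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = DROP_LINE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("count"))
    return counters


def drop_delta(before: str, after: str) -> List[Tuple[str, int]]:
    """Counters that increased between two snapshots, largest increase first.
    Counters present only in the earlier snapshot are ignored."""
    old, new = parse_drops(before), parse_drops(after)
    moved = [(name, new[name] - old.get(name, 0))
             for name in new if new[name] - old.get(name, 0) > 0]
    return sorted(moved, key=lambda item: item[1], reverse=True)


# Constructed snapshots, taken before and after reproducing the problem.
BEFORE = """\
[Drops] L2 invalid DA mac:        0
[Drops] L4 port is zero           0
[Drops] TCP invalid flags:        0
[Drops] TCP syn data denied:      0
[Drops] fp TCP window left edge:  0
[Drops] fp TCP exceeded MSS:      0
"""
AFTER = """\
[Drops] L2 invalid DA mac:        0
[Drops] L4 port is zero           0
[Drops] TCP invalid flags:        0
[Drops] TCP syn data denied:      2
[Drops] fp TCP window left edge:  0
[Drops] fp TCP exceeded MSS:      18
"""

if __name__ == "__main__":
    for name, increase in drop_delta(BEFORE, AFTER):
        print(f"{name}: +{increase}")
```

Run it once per network processor (np 1 and np 2), since the counters are kept independently on each.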
Show Module from the Catalyst 6500 Supervisor
cat6k#show mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    1  Application Control Engine 10G Module  ACE10-6500-K9      SAD09350804
  2   48  48 port 10/100 mb RJ45                 WS-X6348-RJ-45     SAD04450L44
  5    2  Supervisor Engine 720 (Active)         WS-SUP720-3BXL     SAD08300D5L

Mod MAC addresses                     Hw    Fw           Sw           Status
--- --------------------------------- ----- ------------ ------------ -------
  1 0001.0002.0003 to 0001.0002.000a  0.504 8.6(0.252-En 3.0(0)A1(2)  Ok
  2 00d0.d32e.1b42 to 00d0.d32e.1b71  1.5   5.4(2)       8.5(0.46)RFW Ok
  5 000f.f7be.b17c to 000f.f7be.b17f  4.0   8.1(3)       12.2(PP_R31_ Ok

Mod Sub-Module              Model              Serial       Hw    Status
--- ----------------------- ------------------ ------------ ----- -------
  5 Policy Feature Card 3   WS-F6K-PFC3BXL     SAD083006N2  1.3   Ok
  5 MSFC3 Daughterboard     WS-SUP720          SAD082905VE  2.1   Ok

Mod Online Diag Status
--- -------------------
  1 Pass
  2 Pass
  5 Pass
Module status shows Ok.
Verifying Version and Licenses
switch/Admin# show version
Cisco Application Control Software (ACSW)

Software
  loader:    Version 12.2[118]
  system:    Version A2(1.0) [build 3.0(0)A2(1.0)]
  system image file: [LCP] disk0:c6ace-t1k9-mz.A2_1.bin
  installed license: ACE-08G-LIC ACE-VIRT-250 ACE-SSL-15K-K9

Hardware
  Cisco ACE (slot: 1)
  cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
The "installed license" line lists the installed licenses.
Available System Memory and Uptime
switch/Admin# show version   (continuation of the output)
[...]
  memory info:
    total: 958004 kB, free: 335372 kB
    shared: 0 kB, buffers: 3540 kB, cached 0 kB
  cf info:
    filesystem: /dev/cf
    total: 499744 kB, used: 447136 kB, available: 52608 kB

last boot reason: reload command by admin
configuration register: 0x1
ACE kernel uptime is 7 days 23 hours 42 minute(s) 25 second(s)
The last line displays the ACE module uptime.
What Licenses Are Installed
View the currently installed licenses:
switch/Admin# show license
ACE-250CTX-08G-SSL-15K.lic:
SERVER this_host ANY
VENDOR cisco
INCREMENT ACE-08G-LIC cisco 1.0 permanent 1 \
    VENDOR_STRING=<count>1</count> HOSTID=ANY \
    NOTICE="<LicFileID>20060523161924670</LicFileID><LicLineID>1</LicLineID> <PAK></PAK>" SIGN=76DA7526434A
INCREMENT ACE-SSL-15K-K9 cisco 1.0 permanent 1 \
    VENDOR_STRING=<count>1</count> HOSTID=ANY \
    NOTICE="<LicFileID>20060523161924670</LicFileID><LicLineID>7</LicLineID> <PAK></PAK>" SIGN=1077701CF92C
INCREMENT ACE-VIRT-250 cisco 1.0 permanent 1 \
    VENDOR_STRING=<count>1</count> HOSTID=ANY \
This shows the license file installed.
Installing New Licenses on ACE
Copy the license file to disk0: on the ACE:
switch/Admin# dir disk0:
   636  Apr 17 16:04:04 2007  ACE-250CTX-08G-SSL-20K.lic
   236  Apr 17 16:06:54 2007  ACE-16G-LIC.lic
switch/Admin# license ?
  install    Install the license
  uninstall  Uninstall the license
  update     Update existing license
These are the license commands available on the ACE. A reload is only required when increasing throughput on the ACE10.
switch/Admin# license install disk0:ACE-16G-LIC.lic
Installing license... done
ACE File System
Use the dir command to view the directory listing for files:
switch/Admin# dir ?
  core:      Directory or filename
  disk0:     Directory or filename
  image:     Directory or filename
  probe:     Directory or filename
  volatile:  Directory or filename
The internal file system is mapped as follows:
  /mnt/cf  -  image:
The following compressed file systems are also used:
  /TN-HOME            = disk0:
  /TN-CONFIG          = startup config
  /TN-LOGFILE         = internal storage for audit logs
  /TN-CERTKEY-STORAGE = internal storage for certificates and keys
  /TN-COREFILE        = core:
ACE File System
Load the debug plug-in to access the ACE file system directly.
The startup configuration is located at /mnt/cf/TN-CONFIG.
ACE generates or repairs any missing or corrupted file systems during boot.
When should you use the format command? When you receive the following error:
switch/Admin# write memory
ERROR! config filesystem is not mounted on compact flash
Warning! format erases everything in the compact flash, including the startup configs for all contexts, and reboots the system. Copy the running configuration of every context off the module before you run it.
Working with Core Files
If ACE creates a core file, you can locate it in the core: directory. All core files are stored in core:; the core names are self-explanatory.
switch/Admin# dir core:
  99756  Apr 5 17:57:05 2007  ixp2_crash.txt
  13047  Apr 5 17:56:59 2007  loadBalance_core_log.tar.g
ixp<n>_crash.txt contains details on the network processor core dump.
If it is a kernel crash, a file named crashinfo will be available in core:.
show version shows the last reload reason.
Invoke Context
To display the running configuration of another context from the Admin context, use the invoke context command:
invoke context context_name show running-config
switch/Admin# invoke context BreakingPoint show running-config write memory
Generating configuration....
switch/Admin# invoke context Exchange2010 show running-config | include 192.168.1.1
Generating configuration....
  ip address 192.168.1.11
  ip address 192.168.1.12
  alias 192.168.1.1 255.255.255.0
Sandbox-Pod2-ACE20-1/Admin#
System Logging
Logging Features
Each virtual context generates logs independently and sends them to the specified destinations: syslog server, console, telnet/ssh session, buffer, flash, supervisor, SNMP, NAT.
Rate limiting of syslog messages is recommended. Never log to the console at level 7.
ACE logs connection setup/teardown at connection speed.
Access-list deny entries are logged.
Use the terminal monitor command to display log messages when not using the console.
Useful commands to troubleshoot syslogging:
  show logging statistics
  show logging queue | last
Basic Configuration to Enable Logging
Enable logging on the ACE:
  logging enable
  logging monitor 7
  no logging message 111008
  no logging message 111009
  logging timestamp
  do terminal monitor
It is recommended to disable, or change the severity level of, some syslog messages; use the logging message syslog_id [level severity_level] command. Check what a message ID records before disabling it globally: 111008 and 111009 are the messages that record which command a user executed, so suppressing them removes that audit trail from every logging destination, not only from the terminal.
To enable the logging of connection setup and teardown messages, use the logging fastpath command. Use logging rate-limit to limit the rate at which the ACE generates syslog messages.
Real-Time TCP Dump
Real-Time TCP Dump
Supportability and analysis of load-balanced traffic is a major requirement in today's load-balanced environments.
ACE can capture real-time packet information for network traffic that passes through the ACE. The attributes of the packet capture are defined by an ACL.
The ACE buffers the captured packets; you can copy the buffered contents to a file in flash memory on the ACE or to a remote server.
You can also display the captured packet information on your console or terminal, and the capture can be exported for analysis in Ethereal (now Wireshark).
Real-Time TCP Dump
To enable packet capture on ACE, use the capture command:
  capture c1 interface vlan 211 access-list FILTER bufsize 64
    interface vlan 211     interface on which to apply the capture
    access-list FILTER     pre-defined ACL identifying the relevant traffic
    bufsize 64             buffer size in kbytes (can be circular)
One capture session per context.
Capture is triggered at flow setup (flows already established when the capture starts are therefore not seen).
Configure the capture on the client interface where the flow is received.
Real-Time TCP Dump
ACE captures traffic based on a configured access list and interface. Procedure:
  1. Specify an ACL
  2. Capture on an interface or globally
access-list FILTER line 10 extended permit tcp any any eq www
capture c1 interface vlan 211 access-list FILTER
show capture status shows the status and buffer size:
switch/Admin# show capture c1 status
Capture session : c1
Buffer size     : 64 K
Circular        : no
Buffer usage    : 1.00%
Status          : stopped
Real-Time TCP Dump
Start the capture on the ACE:
switch/Admin# capture c1 start
23:40:37.236868 0:12:43:dc:93:bb 0:0:c:7:ac:a 0800 58:
172.16.11.190.443 > 209.165.201.11.1180: S 1389739009:1389739009(0) ack 617249474 win 17408 <mss 1460> (ttl 255, id 2401, len 44, bad cksum 0!)
23:40:37.239102 0:12:43:dc:93:bb 0:0:c:7:ac:a 0800 54:
172.16.11.190.443 > 209.165.201.11.1180: . ack 71 win 17408 (ttl 255, id 2402, len 40, bad cksum 0!)
switch/Admin# capture c1 stop
To copy the packet capture to disk0:, use copy capture:
switch/Admin# copy capture c1 disk0:c1
The maximum buffer size is 5 MB of data.
Traffic Forwarding on ACE
ACE Load Balancer Policy Lookup Order
There can be many features applied on a given interface, so feature lookup ordering is important. The feature lookup order followed by the data path in ACE is:
  1. Access control (permit or deny a packet)
  2. Management traffic
  3. TCP normalization/connection parameters
  4. Server load balancing
  5. Fix-ups/application inspection
  6. Source NAT
  7. Destination NAT
The policy lookup order is implicit, irrespective of the order in which the user configures policies on the interface. Because access control comes first, an ACL on the interface must permit the traffic to the VIP before any load balancing policy is consulted.
ACE in Router Mode
IP subnets cannot overlap within a context but can across two contexts.
Non-load-balanced traffic is routed; ACE needs to ARP for the destination before forwarding the packet.
Client-to-VIP packet as received by ACE:
  source MAC: client MAC        destination MAC: ACE MAC
  source IP: client IP          destination IP: VIP
  source port: random port      destination port: VIP port
Packet forwarded to the server:
  source MAC: ACE MAC           destination MAC: selected server MAC
  source IP: client IP          destination IP: server IP
  source port: random port      destination port: server port

ACE in Bridge Mode
Non-load-balanced connections are bridged from the client VLAN to the server VLAN.
Client-to-VIP packet as received by ACE:
  source MAC: client MAC        destination MAC: ACE MAC
  source IP: client IP          destination IP: VIP
  source port: random port      destination port: VIP port
Packet forwarded to the server (the source MAC is preserved):
  source MAC: client MAC        destination MAC: selected server MAC
  source IP: client IP          destination IP: server IP
  source port: random port      destination port: server port
Checking VLAN Configuration
show interface provides valuable information:
switch/Admin# show interface vlan 210
vlan210 is up
  Hardware type is VLAN
  MAC address is 00:16:36:fc:b3:36
  Virtual MAC address is 00:0b:fc:fe:1b:02
  Mode : routed
  IP address is 172.16.10.21 netmask is 255.255.255.0
  FT status is active
  Description: WAN Side
  MTU: 1500 bytes
  Last cleared: never
  Alias IP address is 172.16.10.23 netmask is 255.255.255.0
  Peer IP address is 172.16.10.22 Peer IP netmask is 255.255.255.0
  Assigned on the physical port, up on the physical port
    499707 unicast packets input, 155702918 bytes
    1485258 multicast, 5407 broadcast
    0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
    497610 unicast packets output, 46804782 bytes
    6 multicast, 8201 broadcast
    0 output errors, 0 ignored
MAC Addresses
The virtual MAC (VMAC) is used for the alias IP and VIP addresses.
Alias IP and virtual IP (VIP) addresses are associated with a VMAC only if high availability is configured.
The active context responds to ARPs for the alias IP with the VMAC.
There is one unique VMAC per FT group: 00:0b:fc:fe:1b:XX (XX = FT group number in hex).
Packets destined to the VMAC are blocked on the standby context.

MAC Addresses (continued)
The VMAC is a function of the FT group ID; therefore different cards must have different FT group IDs.
Use show interface internal iftable to locate the VMAC.
Each ACE supports 1,024 shared VLANs and uses only one bank of MAC addresses, selected randomly at boot time.
Two ACEs may select the same address bank; to avoid this conflict, use the shared-vlan-hostid command.
Key Things to Know About ARP on ACE
For unicast packets, if the destination MAC is unknown, ACE drops the packet instead of flooding it. The IP-address-to-MAC mapping and the outgoing interface must therefore be resolved first.
ARP entries are populated:
  by ARP requests the ACE sends
  by learning from incoming ARP requests
  from gratuitous ARP packets
Layer 2 mode: there is no MAC learning, so ARP is the only way to learn the IP-to-MAC and interface mapping.
How to Read the ARP Table
Each virtual context maintains its own ARP table.
switch/Admin# show arp
Context Exchange
=======================================================================
IP ADDRESS      MAC-ADDRESS         Interface  Type       Encap  Next Arp(s)  Status
=======================================================================
172.16.11.1     00.00.0c.07.ac.0a   vlan211    GATEWAY    226    87 sec       up
172.16.11.19    00.12.43.dc.83.bb   vlan211    INTERFACE  LOCAL  _            up
172.16.11.190   00.12.43.dc.83.bb   vlan211    VSERVER    LOCAL  _            up
192.168.1.1     00.0a.b8.66.60.85   vlan411    INTERFACE  LOCAL  _            up
192.168.1.11    00.50.56.12.11.01   vlan411    RSERVER    230    87 sec       up
192.168.1.12    00.50.56.12.11.01   vlan411    RSERVER    229    87 sec       up
192.168.20.254  00.0a.b8.66.60.85   bvi2       INTERFACE  LOCAL  _            up
==================================================================
Total arp entries 11
The Type column shows the kind of ARP entry: GATEWAY, INTERFACE, VSERVER or RSERVER.
Admin Context Resource Reservation
Admin Context Resource Reservation
If the Admin context is not configured correctly, it can be starved of all resources.
When configuring resource allocations in ACE, it is possible to allocate 100% of the resources to non-Admin contexts, so that the Admin context is no longer reachable via ICMP, telnet, SNMP, etc.
In some cases this also causes FT between a pair of HA ACE modules to fail and creates an active/active situation.
It is highly recommended to put a safeguard in place to ensure that the Admin context always receives at least a small percentage of the resources.
Admin Context Resource Reservation
The following shows a starved Admin context:
switch/Admin# show arp
Context Admin
=============================================================================
IP ADDRESS      MAC-ADDRESS         Interface  Type       Encap  Next Arp(s)  Status
=============================================================================
10.87.102.225   00.00.00.00.00.00   vlan621    GATEWAY    -      * 2 req      up
10.87.102.229   00.0b.fc.fe.1b.01   vlan621    ALIAS      LOCAL  _            up
10.87.102.230   00.0a.b8.71.2f.ef   vlan621    INTERFACE  LOCAL  _            up
172.16.0.1      00.0a.b8.71.2f.ef   vlan999    INTERFACE  LOCAL  _            up
172.16.0.2      00.05.9a.3b.92.e9   vlan999    LEARNED    18     * 2 req      up
=============================================================================
Total arp entries 5
switch/Admin# ping 10.87.102.225
Pinging 10.87.102.225 with timeout = 2, count = 5, size = 100 ....
No response received from 10.87.102.225 within last 2 sec
No response received from 10.87.102.225 within last 2 sec
2 packet sent, 0 responses received, 100% packet loss
The ACE is unable to reach its default gateway: the GATEWAY entry has an all-zero MAC and outstanding ARP requests even though its Status column still says up.
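Reading the ARP table by eye is fine for five entries; for a full context it helps to let a script pick out the entries that matter. The following is an added example (not code from the deck or from Cisco) that parses the `show arp` rows shown above and on the earlier "How to Read the ARP Table" slide, and lists the entries the ACE cannot forward to (all-zero MAC) and those with ARP requests still outstanding. The sample table is constructed in the layout of the starved-Admin output.

```python
import re
from dataclasses import dataclass
from typing import List

ARP_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?:\.[0-9a-fA-F]{2}){5})\s+"
    r"(?P<iface>\S+)\s+(?P<kind>[A-Z]+)\s+(?P<encap>\S+)\s+"
    r"(?P<next>.*?)\s+(?P<status>\S+)\s*$"
)
ZERO_MAC = "00.00.00.00.00.00"


@dataclass
class ArpEntry:
    ip: str
    mac: str
    iface: str
    kind: str       # GATEWAY, INTERFACE, VSERVER, RSERVER, ALIAS, LEARNED
    encap: str      # LOCAL for the ACE's own addresses, an encap id, or '-'
    next_arp: str   # e.g. '87 sec' (next refresh) or '* 2 req' (requests outstanding)
    status: str


def parse_arp_table(text: str) -> List[ArpEntry]:
    """Parse the rows of `show arp`; header, separator and total lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            entries.append(ArpEntry(m["ip"], m["mac"].lower(), m["iface"], m["kind"],
                                    m["encap"], m["next"].strip(), m["status"]))
    return entries


def unresolved_entries(entries: List[ArpEntry]) -> List[ArpEntry]:
    """Neighbours the ACE still cannot forward to: an all-zero MAC means nobody
    ever answered, regardless of what the Status column says."""
    return [e for e in entries if e.encap != "LOCAL" and e.mac == ZERO_MAC]


def pending_requests(entries: List[ArpEntry]) -> List[ArpEntry]:
    """Entries with ARP requests outstanding ('* <n> req' in Next Arp(s))."""
    return [e for e in entries if e.next_arp.startswith("*")]


# Constructed sample in the layout of the deck's starved-Admin example.
SAMPLE = """\
Context Admin
=============================================================================
IP ADDRESS      MAC-ADDRESS         Interface  Type       Encap  Next Arp(s)  Status
=============================================================================
10.87.102.225   00.00.00.00.00.00   vlan621    GATEWAY    -      * 2 req      up
10.87.102.229   00.0b.fc.fe.1b.01   vlan621    ALIAS      LOCAL  _            up
10.87.102.230   00.0a.b8.71.2f.ef   vlan621    INTERFACE  LOCAL  _            up
172.16.0.1      00.0a.b8.71.2f.ef   vlan999    INTERFACE  LOCAL  _            up
172.16.0.2      00.05.9a.3b.92.e9   vlan999    LEARNED    18     * 2 req      up
=============================================================================
Total arp entries 5
"""

if __name__ == "__main__":
    table = parse_arp_table(SAMPLE)
    for e in unresolved_entries(table):
        print(f"unresolved {e.kind} {e.ip} on {e.iface} ({e.next_arp})")
    for e in pending_requests(table):
        print(f"pending ARP for {e.ip} on {e.iface}")
```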
Admin Context Resource Reservation
The following shows starved resources and drops for throughput:
switch/Admin# show resource usage context Admin
                                                     Allocation
        Resource         Current       Peak        Min        Max     Denied
-------------------------------------------------------------------------------
Context: Admin
  conc-connections             9          9          0          0          0
  mgmt-connections             2         12          0          0          0
  proxy-connections            0          0          0          0          0
  xlates                       0          0          0          0          0
  bandwidth                    0       4715          0          0    3704068
    throughput                 0       4247          0          0    3704068
    mgmt-traffic rate          0        468          0  125000000          0
  connection rate              0          7          0          0          8
  ssl-connections rate         0          0          0          0          0
  mac-miss rate                0          1          0          0          0
  inspect-conn rate            0          0          0          0          0
  acl-memory               26816      26880          0          0          0
  sticky                       0          0          0          0          0
  regexp                       0          0          0          0          0
  syslog buffer             1024       4096          0       1024          0
  syslog rate                  0          7          0          0        118
No resources are reserved (Min is 0 throughout) and the Denied column is already non-zero.
Admin Context Resource Reservation
The following shows the missed-heartbeat counter increasing. Heartbeats are not reaching the peer, so there is a possibility of both ACEs going active/active.
switch/Admin# show ft stats
HA Heartbeat Statistics
------------------------
Number of Heartbeats Sent                : 1095573
Number of Heartbeats Received            : 1095239
Number of Heartbeats Missed              : 2987
Number of Unidirectional HB's Received   : 2640
Number of HB Timeout Mismatches          : 0
Num of Peer Up Events Sent               : 1
Num of Peer Down Events Sent             : 1
Successive HB's miss Intervals counter   : 0
Successive Uni HB's recv counter         : 0
Admin Context Resource Reservation
The following configuration is the reason the ACE is starved of all resources:
  resource-class admin
    limit-resource all minimum 0.10 maximum equal-to-min
The following reserved resources are suggested for Admin:
  resource-class Admin
    limit-resource conc-connections minimum 5.00 maximum equal-to-min
    limit-resource mgmt-connections minimum 5.00 maximum equal-to-min
    limit-resource rate bandwidth minimum 5.00 maximum equal-to-min
    limit-resource rate ssl-connections minimum 5.00 maximum equal-to-min
    limit-resource rate mgmt-traffic minimum 5.00 maximum equal-to-min
    limit-resource rate connections minimum 5.00 maximum equal-to-min
The resource class only takes effect once it is assigned to the Admin context (member Admin under context Admin); a class that is defined but not assigned guarantees nothing.
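The three outputs above (resource usage, heartbeat statistics, resource-class fix) are the ones to correlate when an Admin context becomes unreachable. As an added example (not code from the deck or from Cisco), the following parses pasted `show resource usage context Admin` and `show ft stats` output and lists the findings that point at starvation: resources with no minimum guarantee that already show denials, and a missed-heartbeat count above a threshold. Both samples are constructed in the layout of the slides.

```python
import re
from typing import Dict, List, NamedTuple


class ResourceRow(NamedTuple):
    name: str
    current: int
    peak: int
    minimum: int
    maximum: int
    denied: int


def parse_resource_usage(text: str) -> List[ResourceRow]:
    """Rows of `show resource usage context <name>`: the last five whitespace
    separated fields are Current/Peak/Min/Max/Denied, the rest is the name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and all(p.isdigit() for p in parts[-5:]):
            rows.append(ResourceRow(" ".join(parts[:-5]), *map(int, parts[-5:])))
    return rows


def starved_resources(rows: List[ResourceRow]) -> List[ResourceRow]:
    """Resources with no guaranteed minimum that have already had requests denied."""
    return [r for r in rows if r.minimum == 0 and r.denied > 0]


HB_LINE = re.compile(r"Number of Heartbeats (Sent|Received|Missed)\s*:\s*(\d+)")


def parse_heartbeats(text: str) -> Dict[str, int]:
    """Sent/Received/Missed counters from `show ft stats`."""
    return {m.group(1).lower(): int(m.group(2)) for m in HB_LINE.finditer(text)}


def admin_health(resource_text: str, ft_text: str, max_missed: int = 0) -> List[str]:
    """Findings that point at a starved Admin context, resources first, then FT."""
    findings = []
    for r in starved_resources(parse_resource_usage(resource_text)):
        findings.append(f"{r.name}: {r.denied} denied with min guarantee 0")
    hb = parse_heartbeats(ft_text)
    if hb.get("missed", 0) > max_missed:
        findings.append(f"heartbeats missed: {hb['missed']} of {hb.get('sent', 0)} sent"
                        " (peer may declare itself active: active/active risk)")
    return findings


# Constructed samples in the layout of the deck's output.
RESOURCE_SAMPLE = """\
        Resource         Current       Peak        Min        Max     Denied
Context: Admin
  conc-connections             9          9          0          0          0
  mgmt-connections             2         12          0          0          0
  bandwidth                    0       4715          0          0    3704068
    throughput                 0       4247          0          0    3704068
    mgmt-traffic rate          0        468          0  125000000          0
  connection rate              0          7          0          0          8
  syslog rate                  0          7          0          0        118
"""
FT_SAMPLE = """\
HA Heartbeat Statistics
Number of Heartbeats Sent                : 1095573
Number of Heartbeats Received            : 1095239
Number of Heartbeats Missed              : 2987
"""

if __name__ == "__main__":
    for finding in admin_health(RESOURCE_SAMPLE, FT_SAMPLE):
        print(finding)
```

`max_missed` is 0 by default so that any missed heartbeat is reported; raise it to the number of misses you are prepared to tolerate on a lossy FT VLAN.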
Access-Control Lists
ACL Merge Process and Enhancements
New ACL merge enhancements have been added to the ACE.
The ACL merge is responsible for merging all the features and generating a single merged list for a given interface. The ACL compiler is responsible for programming the merged list into an MTrie data structure for fast retrieval.
ACL memory usage has been optimized to better support incremental changes.
The new implementation provides consistent ACL memory usage during system boot and during incremental changes after the system comes up.
This feature also provides early detection of failure if the configuration needs more ACL resources than the system can support.
View Total Action Nodes
Use show np 1 access-list resource to view the action nodes:
switch/Admin# show np 1 access-list resource
ACL Tree Statistics for Context ID: 3
=======================================
ACL memory max-limit: None
ACL memory guarantee: 0.00 %
MTrie nodes (used/guaranteed/max-limit):
    6 / 0 / 262143 (compressed)
    2 / 0 / 21999 (uncompressed)
Leaf Head nodes (used/guaranteed/max-limit):
    3 / 0 / 262143
Leaf Parameter nodes (used/guaranteed/max-limit):
    7 / 0 / 524288
Policy action nodes used: 4
memory consumed: 4696 bytes resource-limited 128 bytes other
    4824 bytes total.
min-guarantee: 0 bytes total.
max-limit: 78610432 bytes total, 0 % consumed
The total policy action node counts for ACE:
  ACE Module: 200k
  ACE 4710 Appliance: 40k
Troubleshooting Secure Socket Layer (SSL)
Troubleshooting SSL
Configuration of SSL on ACE is relatively simple. However, if you experience an issue, how do you troubleshoot it?
Make sure the certificate and key used in the ssl-proxy are valid. Use the crypto verify command:
switch/Admin# crypto verify RSA2048.key RSA2048.cert
Keypair in RSA2048.key matches certificate in RSA2048.cert
Check the size and location of the key. Use the show crypto key command:
switch/Admin# show crypto key all
Filename       Bit Size   Type
------------   --------   ----
RSA2048.key    2048       RSA
Troubleshooting SSL
Looking at the certificate details. Use the show crypto certificate command:
switch/Admin# show crypto certificate cisco-sample-cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ad:e4:e2:f1:50:b7:ce:bd
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Validity
            Not Before: Apr  3 09:50:55 2009 GMT
            Not After : Apr  1 09:50:55 2019 GMT
        Subject: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:cf:a2:60:66:5b:ce:b6:38:6f:94:df:0d:1c:61:
                    26:af:7a:05:49:ed:8d:93:3b
                Exponent: 65537 (0x10001)
Note that this sample certificate is self-signed (issuer equals subject), carries a 1024-bit RSA key and is signed with SHA-1. For production use at least a 2048-bit key and a SHA-256 signature, and check the validity window as well as the key match.
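The fields worth checking in that output are the ones a reviewer looks at first. As an added example (not code from the deck or from Cisco), the following parses pasted `show crypto certificate` text and lists key size, signature algorithm, self-signing and validity problems; the thresholds (2048-bit RSA, no MD5/SHA-1 signatures) are this example's own choices, and the sample is the slide's certificate reduced to the lines the checks need.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

MIN_RSA_BITS = 2048  # example threshold, not an ACE setting
WEAK_SIG_ALGS = {"md5withrsaencryption", "sha1withrsaencryption"}


def _field(text: str, label: str) -> Optional[str]:
    """Value of the first '<label>: <value>' line in the output."""
    m = re.search(rf"^\s*{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None


def _parse_time(value: str) -> datetime:
    # Timestamps are printed OpenSSL style, e.g. 'Apr  3 09:50:55 2009 GMT'
    fields = value.split()
    return datetime.strptime(" ".join(fields[:4]), "%b %d %H:%M:%S %Y")


def assess_certificate(show_output: str, now_date: str) -> Dict[str, object]:
    """Pull the security-relevant fields out of `show crypto certificate`
    and list the problems a reviewer would raise as of now_date (YYYY-MM-DD)."""
    now = datetime.strptime(now_date, "%Y-%m-%d")
    sig_alg = (_field(show_output, "Signature Algorithm") or "").strip()
    key_match = re.search(r"RSA Public Key:\s*\((\d+) bit\)", show_output)
    key_bits = int(key_match.group(1)) if key_match else None
    issuer, subject = _field(show_output, "Issuer"), _field(show_output, "Subject")
    not_before = _parse_time(_field(show_output, "Not Before"))
    not_after = _parse_time(_field(show_output, "Not After"))

    findings: List[str] = []
    if key_bits is not None and key_bits < MIN_RSA_BITS:
        findings.append(f"weak key: RSA {key_bits} bit (< {MIN_RSA_BITS})")
    if sig_alg.lower() in WEAK_SIG_ALGS:
        findings.append(f"weak signature algorithm: {sig_alg}")
    if issuer and issuer == subject:
        findings.append("self-signed: issuer equals subject")
    if now < not_before:
        findings.append(f"not yet valid until {not_before:%Y-%m-%d}")
    elif now > not_after:
        findings.append(f"expired on {not_after:%Y-%m-%d}")
    return {"key_bits": key_bits, "signature_algorithm": sig_alg,
            "not_before": not_before, "not_after": not_after, "findings": findings}


# The slide's sample certificate, reduced to the lines the checks use.
SAMPLE_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Validity
            Not Before: Apr  3 09:50:55 2009 GMT
            Not After : Apr  1 09:50:55 2019 GMT
        Subject: C=IN, ST=KA, L=BLR, O=CISCO, OU=ADBU, CN=SSL-TEST
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
"""

if __name__ == "__main__":
    report = assess_certificate(SAMPLE_CERT, "2010-06-01")
    print(f"RSA {report['key_bits']} bit, {report['signature_algorithm']}")
    for finding in report["findings"]:
        print("  -", finding)
```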
Troubleshooting SSL CRL Download
Check that you can download the CRL:
switch/Admin(config-ssl-proxy)# do show crypto crl test2 detail
test2:
  URL: http://119.60.60.23/test.crl
  Last Downloaded (Cached): Sat Aug 8 16:14:24 2009 UTC
  Total Number Of Download Attempts: 1
  Failed Download Attempts: 0
  Successful Loads: 1            Failed Loads: 0
  Hours since Last Load: 0       No IP Addr Resolutions: 0
  Host Timeouts: 0               Next Update Invalid: 0
  Next Update Expired: 0         Bad Signature: 0
  CRL Found-Failed to load: 0    File Not Found: 0
  Memory Outage failures: 0      Cache Limit failures: 0
  Conn failures: 0               Internal failures: 0
  Not Eligible for download: 3   HTTP Read failures: 0
  HTTP Write failures: 0
To look at all best-effort CRLs in the system and their download status, use the show crypto crl best-effort command.
Advanced SSL Debugging
This command provides the current crypto statistics
swi t ch/ Admi n# sh np 1 me-stats "-s crypto
Cr ypt o St at i st i cs: ( Cur r ent )
- - - - - - - - - - - - - - - - - -
ARC4 oper at i ons: 376572 0
TCP msgs r ecei ved: 285260 0
APP msgs r ecei ved: 235151 0
Ni t r ox messages f or war ded t o XScal e: 381041 0
SSL ct x al l ocat ed: 47758 0
SSL ct x f r eed: 47758 0
SSL r ecei ved byt es: 61070430 0
SSL t r ansmi t t ed byt es: 283256220 0
SSL r ecei ved appl i cat i on byt es: 7679113 0
SSL t r ansmi t t ed appl i cat i on byt es: 275120867 0
SSL r ecei ved non- appl i cat i on byt es: 53391317 0
SSL t r ansmi t t ed non- appl i cat i on byt es: 3292887 0
Bul k f l ush oper at i ons: 95037 0
ME r ecor ds sent t o XScal e: 285808 0
ME r ecor ds r ecei ved f r omXScal e: 47723 0
ME hw r esponses: 471516 0
Fi r st segment s r ecei ved: 47400 0
Handshake failure alert: 94 0
CM cl ose: 446 0
Advanced SSL Debugging
The show stats crypto server command provides statistics on the SSL handshake:
switch/Admin# show stats crypto server
+---- Crypto server termination statistics -----+
+------- Crypto server alert statistics --------+
+--- Crypto server authentication statistics ---+
+------- Crypto server cipher statistics -------+
+------ Crypto server redirect statistics ------+
+---- Crypto server header insert statistics ---+
These sections detail the SSL exchanges: which protocol version each client negotiated with ACE, which cipher was used, whether a renegotiation (re-handshake) happened, whether the session ID was reused, and which SSL alerts ACE received or sent. The alert and cipher sections are the ones to compare with the Handshake failure alert counter from the previous command when clients report failed connections.
Connection Handling on ACE
Flow Management
Level of flow processing, the type of processing it involves, and the features or functions that use it:

Layer 3 and Layer 4
  Processing: load-balancing decision on the first packet; applies to TCP/UDP for layer 4 rules and to all other IP protocols; selects the server or farm based on source IP
  Features:   Basic Load Balancing, Source IP Sticky, TCP/IP Normalization

Layer 7 TCP Splicing
  Processing: terminate the TCP connection; buffer the request, inspect it, load balance; create a hardware shortcut
  Features:   HTTP Layer 7 rules on the first request (URL LB), Cookie Sticky (Persistence), Generic TCP Payload Parsing

Layer 7 Re-proxy
  Processing: TCP splicing plus the ability to parse subsequent HTTP requests within the same TCP connection
  Features:   HTTP Layer 7 rules with HTTP 1.1 keepalive connections (persistence rebalance)

Layer 7 Full-Proxy
  Processing: fully terminate the client's connection
  Features:   SSL Offload, TCP Reuse, HTTP 1.1 Pipelining, Protocol Inspection (FTP, SIP)
Internal Mapping of TCP/UDP Flows
Every TCP or UDP flow is stored as 2 internal half flows:
switch/Admin# show conn
conn-id np dir proto vlan source destination stat
-------------+--+----+--------+-----+--------------------------+-------------------------------+---------+
9 1 In TCP 211 209.165.201.11:1867 172.16.11.190:80 ESTAB
6 1 Out TCP 411 192.168.1.11:80 209.165.201.11:1867 ESTAB
How to read it:
  The In half flow runs from the client IP:port (209.165.201.11:1867) to the VIP address (172.16.11.190:80).
  The Out half flow runs from the server IP (192.168.1.11:80) back to the client; this returning half flow is created automatically for both TCP and UDP flows.
  Use the conn-id to track a flow through ACE, and check the np column for the network processor that owns each half flow.
  The stat column shows the TCP state of each half flow (the slide's callouts list INIT, SYNACK, ESTAB, CLOSED and SYN_SEEN, SYN_SEEN, ESTAB, CLOSED); non-TCP flows show "--".
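As an added example (not part of the deck), the Python below parses show conn output and joins each In half flow to its Out half flow using the client socket as the key, which is what you do by hand when following a connection through ACE. It assumes no source NAT on the server side (with source NAT the Out half flow's destination is the NAT address rather than the client, and the pairing has to go through the NAT pool instead); the sample output is the slide's two rows retyped.

```python
import re
from collections import defaultdict

# Constructed sample: the two half flows shown on the slide, retyped.
SHOW_CONN = """conn-id np dir proto vlan source destination stat
-------------+--+----+--------+-----+--------------------------+-------------------------------+---------+
9 1 In TCP 211 209.165.201.11:1867 172.16.11.190:80 ESTAB
6 1 Out TCP 411 192.168.1.11:80 209.165.201.11:1867 ESTAB
"""

ROW = re.compile(
    r"^(?P<conn_id>\d+)\s+(?P<np>\d+)\s+(?P<dir>In|Out)\s+(?P<proto>\S+)\s+"
    r"(?P<vlan>\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<stat>\S+)\s*$"
)


def parse_show_conn(text):
    """Return one dict per half flow; header, rule and blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        f = m.groupdict()
        for k in ("conn_id", "np", "vlan"):
            f[k] = int(f[k])
        flows.append(f)
    return flows


def pair_half_flows(flows):
    """Join In and Out half flows into end-to-end sessions.

    The client socket is the join key: it is the source of the In half flow
    (client -> VIP) and the destination of the Out half flow (rserver -> client).
    Half flows with no twin are returned separately: a lone In half flow is
    usually a connection still in setup, a lone Out half flow is worth a look."""
    outs = defaultdict(list)
    for f in flows:
        if f["dir"] == "Out":
            outs[(f["proto"], f["dst"])].append(f)
    sessions, orphans = [], []
    for f in flows:
        if f["dir"] != "In":
            continue
        key = (f["proto"], f["src"])
        if not outs[key]:
            orphans.append(f)
            continue
        o = outs[key].pop(0)
        sessions.append({
            "client": f["src"],
            "vip": f["dst"],
            "rserver": o["src"],
            "proto": f["proto"],
            "in_conn": f["conn_id"],
            "out_conn": o["conn_id"],
            "client_vlan": f["vlan"],
            "server_vlan": o["vlan"],
            "np": f["np"],
            # The slide shows both halves on the same np; a mismatch is worth a look.
            "same_np": f["np"] == o["np"],
            "states": (f["stat"], o["stat"]),
        })
    orphans.extend(o for lst in outs.values() for o in lst)
    return sessions, orphans


def sessions_for_vip(text, vip):
    """All paired sessions whose In half flow targets the given VIP ip:port."""
    sessions, _ = pair_half_flows(parse_show_conn(text))
    return [s for s in sessions if s["vip"] == vip]


if __name__ == "__main__":
    sessions, orphans = pair_half_flows(parse_show_conn(SHOW_CONN))
    for s in sessions:
        print("%(client)s -> %(vip)s => %(rserver)s  conn-ids %(in_conn)d/%(out_conn)d  np %(np)d" % s)
    print("orphans:", orphans)
```

Feed it the full show conn output of a busy context and the orphan list is the shortlist for an asymmetric-flow investigation.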
Troubleshooting Connections
Use the show stats connection command to display the connection statistics and clear stats connection to reset the counters:
switch/Admin# show stats connection
+------------------------------------------+
+------- Connection statistics ------------+
+------------------------------------------+
Total Connections Created   : 288232
Total Connections Current   : 2
Total Connections Destroyed : 283404
Total Connections Timed-out : 892
Total Connections Failed    : 3934
Note: "Destroyed" does not mean ACE tore the connections down; these are connections that closed normally. Timed-out and Failed are the counters to watch.
Troubleshooting Connections
Use the show stats loadbalance command to view the load-balancing statistics. To clear the load-balancing statistics stored in the ACE buffer, use the clear stats loadbalance command.
switch/Admin# show stats loadbalance
+------------------------------------------------------------+
+------- Loadbalance statistics -----------------------------+
+------------------------------------------------------------+
Total version mismatch               : 0
Total Layer4 decisions               : 0
Total Layer4 rejections              : 0
Total Layer7 decisions               : 24
Total Layer7 rejections              : 0
Total Layer4 LB policy misses        : 0
Total Layer7 LB policy misses        : 0
Total times rserver was unavailable  : 0
Total ACL denied                     : 0
Troubleshooting VIP
This is the first command to use when checking connections to a VIP:
switch/Admin# show service-policy client-vips detail
Status     : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 211
  service-policy: client-vips
    class: VIP-HTTPS
      VIP Address:    Protocol:  Port:
      172.16.11.190   tcp        eq 443
      loadbalance:
        L7 loadbalance policy: HTTPS-POLICY
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        curr conns       : 22        , hit count        : 22
        dropped conns    : 0
        client pkt count : 0         , client byte count: 0
        server pkt count : 0         , server byte count: 0
        max-conn-limit       : 0     , drop-count : 0
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0
      L7 Loadbalance policy : HTTPS-POLICY
        class/match : class-default
          LB action :
             primary serverfarm: backend-ssl
             backup serverfarm : -
          hit count        : 22
          dropped conns    : 0
Troubleshooting Serverfarm
The best command for checking server status and load:
switch/Admin# show serverfarm HTTPS-FARM detail
 serverfarm     : HTTPS-FARM, type: HOST
 total rservers : 4
 active rservers: 4
 description    : -
 state          : ACTIVE
 predictor      : ROUNDROBIN
 failaction     : -
 back-inservice    : 0
 partial-threshold : 0
 num times failover       : 0
 num times back inservice : 0
 total conn-dropcount : 0
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: linux-1
       192.168.1.11:0        8      OPERATIONAL  0          0          0
         max-conns            : -         , out-of-rotation count : -
         min-conns            : -
         conn-rate-limit      : -         , out-of-rotation count : -
         bandwidth-rate-limit : -         , out-of-rotation count : -
         retcode out-of-rotation count : -
Layer 7 Troubleshooting
Layer 7 Policy Hits
Expanding show service-policy with the detail option provides the hit count for layer 7 matches:
switch/Admin# show service-policy client-vips detail
Status     : ACTIVE
Description: -
-----------------------------------------
Interface: vlan 211
  service-policy: client-vips
      L7 Loadbalance policy : pslb
        class-map : curl1
          LB action :
             serverfarm: s1
          hit count        : 3
          dropped conns    : 0
        class-map : curl2
          LB action :
             serverfarm: s2
          hit count        : 0
          dropped conns    : 0
The hit count under each class map shows which layer 7 load-balancing rule the requests matched.
Match URL Hit Count
Expanding show service-policy with the url-summary option shows which match http url statements are being hit:
switch/Admin# show service-policy url-summary
Service-Policy: VIRTUAL-HOSTING-01  L3-Class: WEB-SSL  L7-Class: A1
   match http url /ECBACCOUNTINQUIRY_V5/.*   hit: 42
Service-Policy: VIRTUAL-HOSTING-01  L3-Class: WEB-SSL  L7-Class: A2
   match http url /AADSLICER/.*              hit: 93
   match http url /ANALYSISHELP/.*           hit: 102
   match http url /BOXIR2/.*                 hit: 67
   match http url /BUSINESSOBJECTS/.*        hit: 78
   match http url /DSWSBOBJE/.*              hit: 84
For finer granularity use show service-policy <service-policy-name> class-map <L3-class-map-name> url-summary.
Troubleshooting HTTP Statistics
To troubleshoot HTTP effectively, use the show stats http command:
switch/Admin# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 6288      , TCP data msgs sent       : 9143
Inspect parse result msgs : 0         , SSL data msgs sent       : 6041
TCP fin/rst msgs sent     : 135       , Bounced fin/rst msgs sent: 19
SSL fin/rst msgs sent     : 13        , Unproxy msgs sent        : 0
Drain msgs sent           : 3107      , Particles read           : 37917
Reuse msgs sent           : 1539      , HTTP requests            : 3145
Reproxied requests        : 0         , Headers removed          : 1549
Headers inserted          : 1598      , HTTP redirects           : 2
HTTP chunks               : 0         , Pipelined requests       : 0
HTTP unproxy conns        : 0         , Pipeline flushes         : 0
Whitespace appends        : 0         , Second pass parsing      : 0
Response entries recycled : 3032      , Analysis errors          : 0
Header insert errors      : 1509      , Max parselen errors      : 0
Static parse errors       : 9         , Resource errors          : 0
Invalid path errors       : 0         , Bad HTTP version errors  : 0
Read the error counters in the bottom rows first. In this sample Header insert errors (1509) is of the same order as Headers inserted (1598), so most header inserts are failing; that is the counter to chase before looking anywhere else.
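As an added example (not from the deck), the Python below turns the "label : value" output of show stats http, show stats connection and show crypto crl ... detail into dictionaries and flags the non-zero counters whose names indicate failure, which is what you otherwise do by eye across the three outputs above. The word list that decides what counts as a failure counter is the editor's assumption. The identity created = current + destroyed + timed-out + failed is not documented on the slides; it is observed to hold exactly for the slide's show stats connection numbers, so a drift between the two sides is the first thing to ask about. The sample outputs are the slides' numbers retyped.

```python
import re

# Constructed samples: the three outputs from the slides, retyped.
CRL_DETAIL = """test2:
URL: http://119.60.60.23/test.crl
Last Downloaded (Cached): Sat Aug 8 16:14:24 2009 UTC
Total Number Of Download Attempts: 1
Failed Download Attempts: 0
Successful Loads: 1                  Failed Loads: 0
Hours since Last Load: 0             No IP Addr Resolutions: 0
Host Timeouts: 0                     Next Update Invalid: 0
Next Update Expired: 0               Bad Signature: 0
CRL Found-Failed to load: 0          File Not Found: 0
Memory Outage failures: 0            Cache Limit failures: 0
Conn failures: 0                     Internal failures: 0
Not Eligible for download: 3         HTTP Read failures: 0
HTTP Write failures: 0
"""

CONN_STATS = """+------- Connection statistics ------------+
Total Connections Created   : 288232
Total Connections Current   : 2
Total Connections Destroyed : 283404
Total Connections Timed-out : 892
Total Connections Failed    : 3934
"""

HTTP_STATS = """+-------------- HTTP statistics -----------+
LB parse result msgs sent : 6288      , TCP data msgs sent       : 9143
Reuse msgs sent           : 1539      , HTTP requests            : 3145
Headers inserted          : 1598      , HTTP redirects           : 2
Response entries recycled : 3032      , Analysis errors          : 0
Header insert errors      : 1509      , Max parselen errors      : 0
Static parse errors       : 9         , Resource errors          : 0
Invalid path errors       : 0         , Bad HTTP version errors  : 0
"""

# A label, a colon, an integer; the value must be followed by a comma, end of
# line or the capitalised start of the next label, so timestamps and URLs on the
# CRL slide are not mistaken for counters.
COUNTER = re.compile(r"([A-Za-z][A-Za-z0-9 /.'\-]*?)\s*:\s*(\d+)(?=\s*(?:,|$|[A-Z]))")

# Editor's assumption: a counter is a failure counter if its name contains one of these.
FAILURE_WORDS = ("fail", "error", "invalid", "expired", "timeout", "timed-out",
                 "dropped", "rejection", "mismatch", "bad ", "not found", "miss")


def parse_counters(text):
    """Map 'label : value' pairs to ints; several pairs per line are handled."""
    counters = {}
    for line in text.splitlines():
        for m in COUNTER.finditer(line):
            counters[" ".join(m.group(1).split())] = int(m.group(2))
    return counters


def failure_counters(counters):
    """Non-zero counters whose name says failure; an empty dict is the healthy case."""
    return {k: v for k, v in counters.items()
            if v and any(w in k.lower() for w in FAILURE_WORDS)}


def connection_accounting_drift(counters):
    """created - (current + destroyed + timed-out + failed); 0 on the slide's numbers."""
    created = counters["Total Connections Created"]
    accounted = sum(counters[k] for k in ("Total Connections Current",
                                          "Total Connections Destroyed",
                                          "Total Connections Timed-out",
                                          "Total Connections Failed"))
    return created - accounted


def failure_ratio(counters, failed_key, total_key):
    """Failures as a fraction of the matching total, e.g. header insert errors per header inserted."""
    total = counters.get(total_key, 0)
    return counters.get(failed_key, 0) / total if total else 0.0


if __name__ == "__main__":
    for name, text in (("crl", CRL_DETAIL), ("connection", CONN_STATS), ("http", HTTP_STATS)):
        print(name, "failure counters:", failure_counters(parse_counters(text)))
    print("connection accounting drift:", connection_accounting_drift(parse_counters(CONN_STATS)))
    print("header insert error ratio: %.3f" % failure_ratio(
        parse_counters(HTTP_STATS), "Header insert errors", "Headers inserted"))
```

Run it against two captures taken a minute apart and diff the dictionaries; a failure counter that moves between captures matters more than one that has been static since the last clear stats.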
Troubleshooting HTTP Cookies
ACE parses HTTP requests for the cookie name given in the configuration, and can skip a given number of bytes of the value and then use a given number of bytes as the sticky key.
If the cookie is not found, ACE looks for the same name in the URL, preceded by one of the characters / ? & # + and followed by "=", and uses that value.
If neither a cookie nor a URL value exists, ACE falls back to the predictor configured for that serverfarm.
ACE can parse HTTP headers (cookies included) up to 64 KB; the default header maximum parse length is 2048 bytes, so requests with long cookie headers need the limit raised.
Make sure that the sticky timeout matches the session timeout of the application: a sticky entry that expires before the application session does sends the next request to a server that does not hold that session.
Troubleshooting TCP Connection Re-Use
When TCP connection reuse is enabled, ACE inserts "Connection: keep-alive" into, and removes "Connection: close" from, the client's HTTP request so that the server-side connection is not closed early.
Connection reuse requires a layer 7 class map and source NAT, because a reused server connection is shared between clients and therefore cannot carry a client's own source address:
class-map type http loadbalance match-any L7-RE-USE
  2 match http url .*
Use show stats http | include Reuse to check whether connections are actually being reused:
switch/Admin# show stats http | include Reuse
Reuse msgs sent : 1 , HTTP requests : 4
Health Monitoring on ACE
Fundamentals for ACE Probing
ACE probes are fundamental to the system; it is key not to oversubscribe the ACE health-monitoring system.
Use show resource internal socket to see how many sockets the ACE has open. This is an Admin context command:
switch/Admin# show resource internal socket
Application   MaxLimit   Current   Creates   Frees
---------------------------------------------------
SYSTEM        4000       0         0         0
CRITICAL      50         0         0         0
AAA           256        0         0         0
MGMT          256        0         0         0
XINETD        512        1         12        11
HEALTH_MON    2500       532       193494    192962
USER_TCL      200        0         0         0
SYSLOG        256        10        14        4
VSH           256        0         0         0
OverAll       -          650       194812    194162
Non Reg App Usage: 107
HEALTH_MON is the row to watch: Current against MaxLimit is how close probing is to running out of sockets (here 532 of 2500, with Creates minus Frees equal to Current).
Health Monitoring Process
If you see probing issues, check the health monitoring process; the show proc cpu command provides very useful information:
switch/Admin# show proc cpu
CPU utilization for five seconds: 30%; one minute: 37%; five minutes: 35%
PID   Runtime(ms)  Invoked  uSecs  1Sec   5Sec    1Min    5Min    Process
987   90257        57805    1561   0.0    1.40%   1.46%   1.43%   hm
988   90198        58952    1530   0.0    1.49%   1.49%   1.44%   hm
989   851          2947     288    0.0    0.0%    0.1%    0.0%    hm
990   0            2        56     0.0    0.0%    0.0%    0.0%    hm
The hm processes consume only about 1.4% each, so why is the control-plane CPU running at 30%? Look for the process that is actually busy:
switch/Admin# show proc cpu
CPU utilization for five seconds: 30%; one minute: 37%; five minutes: 35%
PID   Runtime(ms)  Invoked  uSecs  1Sec   5Sec    1Min    5Min    Process
972   1072965      613352   1749   35.9   18.5%   21.67%  20.90%  arp_mgr
Health Monitoring on ACE
Use the show probe detail command to see the status of a probe and the reason for its last failure:
switch/Admin# show probe detail   (output truncated)
---------------------- probe results --------------------
probe association   probed-address   probes   failed   passed   health
------------------- ---------------+--------+--------+--------+-------
rserver : CAS1
                    10.7.53.55       24       24       0        FAILED
  Socket state        : CLOSED
  No. Passed states   : 0        No. Failed states : 1
  No. Probes skipped  : 0        Last status code  : 403
  No. Out of Sockets  : 0        No. Internal error: 0
  Last disconnect err : Received invalid status code
  Last probe time     : Wed Nov 25 18:48:16 2009
  Last fail time      : Wed Nov 25 18:25:16 2009
  Last active time    : Never
Here all 24 probes failed: the server answered 403 while an HTTP probe expects 200 by default, so the rserver never went into service (Last active time: Never). Either fix the server so that the probe URL returns 200, or, if 403 is the correct answer for an unauthenticated request to that URL, configure the probe's expect status to accept it; a probe that is merely silenced that way no longer proves the application works, so prefer a URL that exercises it.
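As an added example (not from the deck), the Python below emulates the decision an ACE HTTP probe makes on a server's response, and reads the HEALTH_MON row of the show resource internal socket output from the earlier slide to show how much of the socket budget probing uses. The expected-status ranges mirror the probe's expect status min max setting (default 200 only) and the optional body pattern mirrors expect regex; "Received invalid status code" is the text on the slide, the other failure strings are the editor's own labels, and the HTTP responses are constructed.

```python
import re

# Constructed sample responses (not from the slides).
RESPONSE_403 = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
RESPONSE_200 = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 9\r\n\r\n"
                b"STATUS=UP")
# The slide's show resource internal socket table, retyped (rows with zeros omitted).
SOCKET_TABLE = """Application   MaxLimit  Current   Creates   Frees
---------------------------------------------------
SYSTEM        4000      0         0         0
XINETD        512       1         12        11
HEALTH_MON    2500      532       193494    192962
SYSLOG        256       10        14        4
OverAll       -         650       194812    194162
Non Reg App Usage: 107
"""

STATUS_LINE = re.compile(rb"^HTTP/\d\.\d (\d{3})\b")


def evaluate_http_probe(response, expect_status=((200, 200),), expect_regex=None):
    """Decide pass/fail the way an ACE HTTP probe does.

    expect_status: inclusive (min, max) ranges, as in 'expect status 200 299'.
    expect_regex:  optional bytes pattern the body must match, as in 'expect regex'.
    Returns (passed, last_status_code, disconnect_error)."""
    head, _, body = response.partition(b"\r\n\r\n")
    m = STATUS_LINE.match(head)
    if not m:
        return False, None, "Malformed status line"          # editor's label
    code = int(m.group(1))
    if not any(lo <= code <= hi for lo, hi in expect_status):
        return False, code, "Received invalid status code"   # the text on the slide
    if expect_regex is not None and not re.search(expect_regex, body):
        return False, code, "Regex did not match"            # editor's label
    return True, code, None


def probe_socket_usage(table, app="HEALTH_MON"):
    """(current, max_limit, unaccounted) for one application row of the socket table.
    unaccounted is creates - frees - current; anything but 0 means the counters disagree."""
    for line in table.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == app:
            max_limit, current, creates, frees = (int(x) for x in f[1:])
            return current, max_limit, creates - frees - current
    raise KeyError(app)


def probe_budget_ok(table, app="HEALTH_MON", warn_fraction=0.8):
    """True while the application holds less than warn_fraction of its socket limit."""
    current, max_limit, _ = probe_socket_usage(table, app)
    return current < warn_fraction * max_limit


if __name__ == "__main__":
    print(evaluate_http_probe(RESPONSE_403))
    print(evaluate_http_probe(RESPONSE_200, expect_regex=rb"STATUS=UP"))
    print(probe_socket_usage(SOCKET_TABLE), probe_budget_ok(SOCKET_TABLE))
```

Widening expect_status to accept the 403 makes the probe pass, as the second assertion below shows, which is exactly why that fix should be the last resort: the probe would then report a server healthy on an error page.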
High Availability on ACE
High Availability Basic Building Blocks
FT PEER
  Only one FT peer per ACE device
  1:1 peer relationship
FT GROUP
  One FT group per ACE virtual context
FT VLAN
  Designated VLAN between the redundant peers
  All HA related traffic is sent over this VLAN
  The FT VLAN can be trunked between two Catalyst 6500 chassis
  Cannot be used for normal traffic
Figure: ACE1 and ACE2 are FT peers joined by the FT VLAN. Each carries an Admin context, Context A and Context B; FT Group 1 pairs the Admin contexts, FT Group 2 pairs Context A on both modules and FT Group 3 pairs Context B.
High Availability Control Traffic
TCP connection between FT peers
  State machine (election, preempt, relinquish)
  Configuration sync
  State sync for ARP
HA keepalives
  Heartbeats between FT peers
  Heartbeats are sent over UDP
  Monitor the health of the peer
  Heartbeat interval and count are configurable
ACE High Availability State Machine
Active/standby election (assuming both peers initialize at the same time)
  Based on a priority scheme
  The member with the highest priority becomes ACTIVE
  The other member enters the STANDBY_CONFIG state
  If priorities are equal, the member with the higher IP address wins
STANDBY_CONFIG state
  Startup configuration sync from Active to Standby
  Running configuration sync from Active to Standby
  Knob to turn on/off
ACE High Availability State Machine
STANDBY_BULK state
  ARP sync (knob to turn on/off)
  Connection table sync
  Sticky database sync (knob to turn on/off)
STANDBY_HOT state
  The standby FT group member is ready to take over
  Incremental configuration sync from Active to Standby
  Incremental state sync from Active to Standby
STANDBY_COLD state
  Entered on an error during config sync or incremental config sync
  No config or state sync happens from Active to Standby
ACE High Availability State Machine
Mismatch in software version
  The FT peer may become INCOMPATIBLE (SRG check)
  ACTIVE/ACTIVE state on both FT group members
Mismatch in virtual context licenses
  Configuration sync (all types) for the Admin context is disabled
  State sync for the Admin context continues
  For matching user contexts, configuration and state sync work
Mismatch in other licenses
  Configuration and state sync work
  After switchover, the new Active handles traffic according to its own licenses
ACE Redundancy Query VLAN
A query VLAN can be configured as an alternate path for pinging the peer when no heartbeat is being received from the redundant peer.
If configured, upon receiving a PEER_DOWN message from the heartbeat process the ACE data plane tries to ping the peer via the query VLAN:
  If the ping fails, the standby transitions to the ACTIVE state.
  If the ping succeeds, the standby transitions to the STANDBY_COLD state: the peer is alive and only the FT VLAN is broken, so going active would leave both members active.
To configure a query interface, enter the following:
switch/Admin(config-ft-peer)# query-interface vlan 110
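As an added example (not from the deck), the Python below encodes the election and standby-state rules from the preceding slides as a small state machine, so the two decisions that matter in an outage, who wins the election and what the standby does on PEER_DOWN, can be checked against a scenario rather than argued about. Treating bulk sync as always completing, and taking a heartbeat loss at face value when no query interface is configured, are the editor's simplifications; the priorities and addresses are made up.

```python
import ipaddress


def elect_active(members):
    """Active/standby election from the slide: highest priority wins; on a tie
    the member with the higher IP address wins.
    members: [{'name': ..., 'priority': int, 'ip': 'a.b.c.d'}, ...]"""
    ranked = sorted(members,
                    key=lambda m: (m["priority"], int(ipaddress.ip_address(m["ip"]))),
                    reverse=True)
    return ranked[0]["name"], [m["name"] for m in ranked[1:]]


class StandbyMember:
    """Standby side of one FT group, walking the states the slides list."""

    def __init__(self, name, query_interface=None):
        self.name = name
        self.query_interface = query_interface   # e.g. "vlan 110", or None if not configured
        self.state = "STANDBY_CONFIG"
        self.history = [self.state]

    def _go(self, state):
        self.state = state
        self.history.append(state)
        return state

    def config_sync(self, ok):
        """Startup/running config sync (from STANDBY_CONFIG) or incremental config
        sync (from STANDBY_HOT). Any error drops the member to STANDBY_COLD,
        where no further config or state sync happens."""
        if self.state not in ("STANDBY_CONFIG", "STANDBY_HOT"):
            raise RuntimeError("config sync not expected in %s" % self.state)
        if not ok:
            return self._go("STANDBY_COLD")
        return self._go("STANDBY_BULK") if self.state == "STANDBY_CONFIG" else self.state

    def bulk_sync_done(self):
        """ARP, connection table and sticky database sync complete: ready to take over."""
        if self.state != "STANDBY_BULK":
            raise RuntimeError("bulk sync not expected in %s" % self.state)
        return self._go("STANDBY_HOT")

    def peer_down(self, query_ping_ok=None):
        """PEER_DOWN from the heartbeat process. With a query interface the data
        plane pings the peer over it: ping fails -> ACTIVE, ping succeeds ->
        STANDBY_COLD (the peer is alive, only the FT VLAN is broken). Without a
        query interface the heartbeat loss is taken at face value (editor's reading)."""
        if self.query_interface is None:
            return self._go("ACTIVE")
        if query_ping_ok is None:
            raise ValueError("query interface configured: a ping result is required")
        return self._go("STANDBY_COLD" if query_ping_ok else "ACTIVE")


def takeover_after_heartbeat_loss(query_interface, ping_ok):
    """The state a fully synced standby ends in after losing heartbeats."""
    m = StandbyMember("ace2", query_interface)
    m.config_sync(True)
    m.bulk_sync_done()
    return m.peer_down(ping_ok)


if __name__ == "__main__":
    print(elect_active([{"name": "ace1", "priority": 100, "ip": "10.1.1.1"},
                        {"name": "ace2", "priority": 100, "ip": "10.1.1.2"}]))
    print(takeover_after_heartbeat_loss("vlan 110", ping_ok=True))
    print(takeover_after_heartbeat_loss("vlan 110", ping_ok=False))
    print(takeover_after_heartbeat_loss(None, None))
```

The last two calls in the usage block are the point of the query VLAN: with the FT VLAN cut but the peer reachable elsewhere, the standby parks in STANDBY_COLD instead of becoming a second active member.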
Common Debugging - Conclusion
This session should give you some directions on where to start troubleshooting ACE.
Recommended Reading
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any internet station or visit www.ciscolivevirtual.com.
Appendix
Layer 4 Flow Setup
Figure (packet sequence): the client's SYN matches the VIP; ACE selects a server and rewrites L2/L3/L4 before forwarding it. The SYN_ACK, the ACK and every data packet after that match the existing flow and take the hardware shortcut, with only the L2/L3/L4 rewrite applied. Used for basic load balancing, source IP sticky and TCP/IP normalization.
Layer 7 Flow Setup
Client connects to an L7 VIP (figure): the SYN matches the VIP with L7 logic; ACE chooses its own sequence number and replies with a SYN_ACK. ACE ACKs the client's ACK and data packets itself, starts buffering and keeps buffering until it has enough to decide. HTTP L7 rules are applied to the first request (cookie sticky, URL parsing, ...); generic TCP payload parsing works the same way.
Layer 7 Flow Setup (continued)
ACE establishes the connection to the server (figure): ACE parses the buffered data, selects a server and initiates the TCP connection, acting as the client. It does not forward the server's SYN_ACK to the client; instead it empties its buffer and sends the data to the server.
Layer 7 Flow Setup (continued)
ACE splices the flows, UNPROXY (figure): once both sides are established ACE does not forward the server's ACK and is ready to splice the flows. From then on each ACK and data packet matches the existing flow and takes the hardware shortcut, with L2/L3/L4 and SEQ/ACK rewrites.
Layer 7 Flow Setup
ACE reproxies the connection (figure): when a further request arrives on the same keepalive connection, ACE leaves the shortcut (REPROXY), ACKs the GET and buffers it, applies the HTTP L7 rules again and returns the flow to the shortcut once the server is selected. This is what HTTP L7 rules with HTTP 1.1 connection keepalive (persistence rebalance) rely on.
Layer 7 Flow Setup
ACE acts as a full proxy (figure): independent client and server connections.
  Client connection: SYN, SYN_ACK, ACK, Data (GET / HTTP/1.1), ACK, ..., Data (HTTP/1.1 200 OK)
  Server connection: SYN, SYN_ACK, ACK, Data (GET), ACK, ..., Data (HTTP/1.1 200 OK)
Used for SSL offload, TCP reuse, protocol inspection and HTTP 1.1 pipelining.